Resisting Backdoor Attacks in Federated Learning via Bidirectional Elections and Individual Perspective

Zhen Qin, Feiyi Chen, Chen Zhi, Xueqiang Yan, Shuiguang Deng

TL;DR

This work tackles backdoor defenses in federated learning where infected updates are hard to separate due to non-IID data. It presents Snowball, a server-side framework that uses bottom-up voting (K-means) and top-down refinement (VAE-based learning of update differences) to selectively aggregate benign updates. The method demonstrates superior backdoor resistance across five real-world datasets with moderate attack strength and non-IID settings, while keeping main-task accuracy (MA) near parity with FedAvg. Snowball’s design supports non-invasive integration into existing FL systems and offers robust performance under practical attack scenarios, contributing a defense-by-filtering perspective anchored in update-level elections.

Abstract

Existing approaches defend against backdoor attacks in federated learning (FL) mainly through a) mitigating the impact of infected models, or b) excluding infected models. The former negatively impacts model accuracy, while the latter usually relies on globally clear boundaries between benign and infected model updates. However, in reality model updates tend to be mixed and scattered because of the diverse distributions of local data. This work focuses on excluding infected models in FL. Unlike previous perspectives from a global view, we propose Snowball, a novel anti-backdoor FL framework through bidirectional elections from an individual perspective, inspired by one principle deduced by us and two principles in FL and deep learning. It is characterized by a) bottom-up election, where each candidate model update votes for several peer updates such that a few model updates are elected as selectees for aggregation; and b) top-down election, where the selectees progressively enlarge their set by picking up more updates from the candidates. We compare Snowball with state-of-the-art defenses against backdoor attacks in FL on five real-world datasets, demonstrating its superior resistance to backdoor attacks and slight impact on the accuracy of the global model.
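
The bottom-up election described in the abstract, as a simplified example added here (not the paper's code and not its exact algorithm): each update clusters its own distances to its peers with 2-means and votes for the nearer cluster, and the most-voted updates are aggregated. The 2-D vectors, the scalar 2-means, the function names and the equal-weight averaging are assumptions made for illustration.

```python
import math

# Constructed 2-D stand-ins for flattened model updates (not data from the paper).
BENIGN = [(1.0, 0.2), (0.8, -0.5), (-0.9, 0.4), (-0.6, -0.8),
          (0.1, 1.1), (0.3, -1.0), (-0.2, 0.1), (0.5, 0.6)]
INFECTED = [(4.0, 4.1), (4.2, 3.9), (3.9, 4.0)]
UPDATES = BENIGN + INFECTED  # indices 0-7 benign, 8-10 infected


def near_cluster(dists, iters=20):
    """1-D 2-means over {peer: distance}; return peers in the nearer cluster."""
    lo, hi = min(dists.values()), max(dists.values())
    near = set(dists)
    for _ in range(iters):
        near = {j for j, d in dists.items() if abs(d - lo) <= abs(d - hi)}
        far = set(dists) - near
        if not far:  # all peers equally close: vote for everyone
            break
        new_lo = sum(dists[j] for j in near) / len(near)
        new_hi = sum(dists[j] for j in far) / len(far)
        if (new_lo, new_hi) == (lo, hi):
            break
        lo, hi = new_lo, new_hi
    return near


def bottom_up_election(updates, n_selectees):
    """Each update votes for the peers that 2-means places nearest to it."""
    votes = [0] * len(updates)
    for i, u in enumerate(updates):
        dists = {j: math.dist(u, v) for j, v in enumerate(updates) if j != i}
        for j in near_cluster(dists):
            votes[j] += 1
    ranked = sorted(range(len(updates)), key=lambda j: (-votes[j], j))
    return votes, ranked[:n_selectees]


def aggregate(updates, selected):
    """Average only the elected updates (equal weights, an assumption here)."""
    dim = len(updates[0])
    return [sum(updates[j][k] for j in selected) / len(selected) for k in range(dim)]


if __name__ == "__main__":
    votes, selectees = bottom_up_election(UPDATES, n_selectees=4)
    print("votes:", votes)
    print("selectees:", selectees, "aggregate:", aggregate(UPDATES, selectees))
```

The minority of infected updates only collects votes from each other, so a small selectee set drawn from the top of the tally stays benign; the top-down stage would then grow that set.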

Paper Structure

This paper contains 37 sections, 2 theorems, 7 equations, 8 figures, 6 tables, 1 algorithm.

Key Result

Theorem 1

With Assumption assumption-a-b-assumption-a-c, after round $\max(t^{B}, t^{C})$ we have $\mathbb{E}(\|\Delta \mathbf{w}_i^B - \Delta \mathbf{w}_j\|^2) < \mathbb{E}(\|\Delta \mathbf{w}_i^* - \Delta \mathbf{w}_j\|^2)$.

Figures (8)

  • Figure 1: 2D visualization of 50 model updates in one round of FL (practical non-IID MNIST with $\alpha=0.5$, PDR=0.3).
  • Figure 2: Overview of Snowball, which improves the aggregation procedure in FL on the server.
  • Figure 3: Average distance $\overline{\rho}$ between different types of $\Delta \mathbf{w}$.
  • Figure 4: Latent features of (a) model updates and (b) differences $\mathbf{d}$ between them outputted by the VAE encoder.
  • Figure 5: Triggers in MNIST by CBA (a) and DBA (b)-(d).
  • ...and 3 more figures

Theorems & Definitions (2)

  • Theorem 1
  • Theorem 2